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AEROSPACE RELIABILITY APPLIED TO BIOMEDICINE 
by V. R. Lalli and D. J. Vargo 
Lewis Research Center 

ABSTRACT 

This paper presents an analysis that indicates that the Reliability 
and Quality Assurance methodology selected by NASA to minimize failures 
in aerospace equipment can be applied directly to biomedical devices to 
W improve hospital equipment reliability. The Space Electric Rocket Test 

project is used as an example of NASA application of Reliability and Quality 
Assurance (R&QA) methods. By analogy a comparison is made to show how 
these same methods can be used in the development of transducers, instru- 
mentation and complex systems for use in medicine. 


INTRODUCTION 

Both NASA and the biomedical industry are involved in the design and 
operation of important and complex equipment. Furthermore, these sys- 
tems must operate accurately and reliably. Failure can cause economic 
loss; even worse, it can result in the loss of human life. NASA has de- 
veloped an extensive reliability and quality assurance (R&QA) methodology. 
It is possible that this methodology could be used as the basis for an appro- 
priate R&QA program for medical instrumentation. Such a program should 
be aimed at improving equipment performance, reducing failures, and ab- 
solutely minimizing risks of personal injury or death. 

The bioinstrumentation industry today is in a situation in some ways 
comparable to the early days of the space program. NASA was faced with 
the task of adapting, advancing and rapidly applying complex technologies 
to accomplish space-flight programs. Historically, the biomedical industry 
has been characterized by the relatively leisurely application of modest 
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incremental advances of technology developed by working with animal 
subjects. This slow pace in the past allowed extended investigation by 
both manufacturers and practicing doctors on the benefits and effects of 
incorporation of these advances. Recently, however, large and rapid 
changes have been occurring in medical instrumentation; the increased 
use of medical electronic apparatus in intensive care hospital facilities 
represents one such dramatic change in biomedical technology. 

That the application of rapid changes in technology can lead to serious 
difficulties, however, can easily be established. A recent survey, (ref. 1) 
of medical electronic gear in 12 Detroit-area hospitals disclosed many 
disturbing findings. Among its findings are: 

1. Few pieces of equipment are properly maintained; 

2. Simple calibrations like adjusting a potentiometer and simple ad- 

justments like focusing an oscilloscope are not made; 

3. Dust is allowed to build up inside chassis, causing components to 

overheat; 

4. Few defibrillators accurately produce the amount of energy they 

are supposed to; 

5. Most monitoring oscilloscopes and electrocardiographs (ECG) have 

substandard frequency response; 

In addition, medical equipment was found to contain the following defects: 

6. Low quality parts were used in construction; 

7. Planning in the placement of equipment was poor; 

8. Poor grounding was found in some cases; 

9. Leakage currents were often in excess of the 10 pA level which 

has been recommended by the Veterans Administration and others 

10. Transient voltage or current surges often occurred when monitors 

were turned on; 

11. Equipment was not protected adequately from its operating envi- 
ronment; 

12. Significant waveshape changes occurred in the output equipment; 

13. Equipment was misused by being operated by untrained personnel; 
Some of these findings are illustrated in figure 1. To overcome similar 
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problems in achieving highly dependable equipment performance, NASA 
developed an extensive methodology for improving, maintaining and veri- 
fying design reliability and product quality of space program hardware. 

That this methodology works can be seen from a representative improve- 
ment in launch vehicles performance. In 1959, only 57 percent of the 
launches met test objectives. In 1967, 93 percent fully met all test objec- 
tives and these later launch vehicles were of larger size and greater com- 
plexity than those of 8 years earlier. 

The purpose of this paper is to examine illustrative parts of the meth- 
odology developed by NASA to achieve equipment reliability. There are 
many obvious differences between the space and biomedical fields, and 
much that is done to achieve reliability of space equipment is not directly 
applicable in the biomedical area. Much of the methodology should be of 
value, however, and its application should solve many equipment 
performance - use problems. 

This space related methodology for dependable equipment performance 
is based on the careful application of two existing engineering disciplines: 
(1) reliability, and (2) quality assurance. The methods selected for use in 
these disciplines are those found to be effective in the improvement of 
product performance. Reliability engineering is concerned with design 
and testing tasks in product development to ensure that the product is prop- 
erly designed to perform the assigned task without failure. Quality assur- 
ance is concerned with various control methods and qualification testing to 
ensure that the product delivered is manufactured as designed. 

This may sound like an involved way of saying *’be sure to use good 
engineering practice for each product. ” Todays complex equipment and 
systems, however, demand the assignment of specific responsibility for 
the R&QA tasks and require the application of proven techniques and meth- 
ods. The fact is that biomedical product performance problems do exist; 
the industry must do something about them. 
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RELIABILITY 

We will now consider first Reliability and then Quality Assurance. 

Reliability engineering consists of two fundamental tasks: design 
studies and product tests. The subelements under design studies are as 
follows: 

Design Criteria 

Design Practices 

Design Review 

Each of these subelements is important in achieving a reliable product with 
reliability engineered into the product as it is designed and tested. 

Design Criteria 

A product idea is conceived, and the concept includes general ideas on 
basic functions and performance. Design criteria must be established 
before the actual design is undertaken; some design criteria are listed 
below: 

1. Functional specifications; 

2. Operational requirements; 

3. Environmental specifications; 

4. Parts and materials selection procedures; 

5. Codes, standards, and specifications; 

6. Structural design factors; 

7. Electromagnetic compatibility. 

Most of these criteria are self explanatory, however, if desired, addi- 
tional information is found in existing literature (refs. 2 to 8). 

Referring to parts and materials selection procedures, one of the 
problems identified in the Detroit area hospitals’ electronic medical equip- 
ment survey was poor parts. One example given was leaking electrolyte 
from a faulty capacitor causing a resistor in an ECG to short out. NASA’s 
way of eliminating weak parts is to require that a specific detailed proce- 
dure for selecting, qualifying and screening parts, and materials be esta- 
blished. When possible, we use only those parts which are given in 
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Preferred Parts List (ref. 3). Furthermore, it is required that all parts 
be subjected to appropriate types of screening test. Screening tests are, 
of course, different for each class of part and are based on both engineer- 
ing judgment and experience. They are directly related to expected equip- 
ment performance, operating life and environment. Representative 
screening tests might be: 

• X-ray or vidicon examination to determine contamination and internal 

configuration; 

• Ten complete temperature cycles to temperature extremes, repre- 

sentative of worst case environment; measure performance pa- 
rameters before the first cycle and after last cycle; 

• Burn-in (full operation) under rated conditions; check performance 

parameters four times at selected intervals to determine the 
trend of parameter shifting; 

The reported Electrolyte leaking from a capacitor could also have been 
caused by insufficient part derating. Electrolytic capacitors normally have 
a rated voltage and temperature specified by the manufacturer. Other 
factors being equal, component -part failure rates increase with stress ap- 
plied in operation. Furthermore, even the best parts when operated at 
maximum -rated stress levels do not have sufficiently low failure rates to 
give highly reliable products. It has been established that, if the voltage 
and temperature stresses on an electrolytic capacitor are reduced by a 
factor of 0. 7, failure frequency can be reduced by two or three orders of 
magnitude . Therefore, as a design criteria, all electronic piece parts 
should be derated according to those parameters obtained either from 
existing literature or by testing (refs. 8 and 9). 

The environment that a product has to perform in, plays an important 
role in determining design criteria. Space products must contend with 
the harmful effects of such things as vibration, shock, temperature, salt 
spray, fungus and vacuum. Biomedical products would see things like 
vibration, shock, temperature, fluid spills, inexperienced operating per- 
sonnel, dust and dirt in their hospital environment. Design criteria must 
reflect the expected environment. 
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Considerations such as these lead to the design criteria for reliabil- 
ity. These criteria establish the degree of conservatism built into the 
product. The reliability engineer has the duty of making certain that ac- 
curate and complete data are available on which to base the design cri- 
teria. 


Design Practices 

Good design practices set many of the constraints for a transfer de- 
vice arrangement. A transfer device is a group of parts which accepts an 
input variable, changes the variable form and transfers the variable to a 
second location for further use. Reliability analysis is very important in 
developing proper design practices for the product transfer device arrange- 
ment. The first step in this analysis is to develop a transfer device dia- 
gram. Using probability methods and the known or predicted generic failure 
rate of the piece parts combined in transfer device arrangements, the prob- 
ability of success or reliability is calculated. However, neither the num- 
bers calculated nor the failure frequency functions used are necessarily im- 
portant at this point. What is important is the relative standing of the 
various transfer devices, for this establishes a priority listing of items to 
be worked on for improved reliability. A study of these standings is used 
to develop reliability related questions, design practices, representative 
examples of which are listed below: 

1. Are the minimum number of different parts being used? 

2. Is that new transfer device with the high failure rate really neces- 
sary? 

3. For the high failure rate items, is redesign or redundancy the 
better approach, or should both be used? 

4. Is the design in suitable form for isolating and analyzing test fail- 
ures? 

Redundancy is the use of two or more sets of selected transfer devices 
to perform the same transfer. In some cases, it is desirable and should 
be used; in others, it can cause more trouble than it cures. Recognition 
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of these conditions and the trade-offs required to make a reliable product 
is the province of the reliability engineer. Examination of the design for 
proper design practice is a continuous part of the design process. 


Design Review 

Design review is conducted in a series of formalized meetings to un- 
cover and resolve hidden weaknesses in a product transfer device arrange- 
ment. These reviews are usually held during three phases of the design 
process: conceptual, intermediate, and final design reviews. 

During the conceptual design review, the basic transfer devices of the 
product are examined. Following the preliminary design review, piece 
parts are selected, specifications are drafted and preliminary drawings 
are prepared. 

The intermediate design review is held to examine design data and 
schematics to establish that the product can do the required job and that 
the transfer devices selected satisfy the design criteria. Now the design 
is ready for a failure modes, effects, and corrective action analysis 
(FMECA). Here the reliability engineer asks the questions ’’What if . . . ?” 
and attempts to figure out specifically what the product will do if certain 
modes of failure should happen. The design is examined in considerable 
detail with the following questions in mind: 

1. How can a part or component fail? 

2. What effect does this failure mode have on product performance? 

3. How critical is this effect? 

4. Can the failure mode be obviated? 

5. When is the last time that this failure mode is tested? 

As an example of how FMECA is undertaken, consider a thrustor -power 
conditioner block diagram as shown in figure 2. There are three subsys- 
tems in this figure: (1) thrustor, (2) neutralizer, and (3) power condition- 
ing. In the thrustor subsystem, the anode supply, V^, and the cathode 
keeper supply, V-^q, were originally voltage controlled supplies (refs. 

10 to 12). The failure mode question was asked: ’’What happens if the 
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accelerator Vg arcs to some other electrode?” Since ions are present, 
more are being generated and not being removed, it is very likely that the 
slope of the discharge Volt Ampere (VI) curve will go negative. If it does 
and there are fixed voltages on V^ and V^q, their currents would only 
be limited by either the number of ions available or the supply resistances. 
For voltage controlled supplies, current surges could reach failure levels 
very quickly. This possibility was, of course, totally unacceptable and 
was avoided by obtaining a VI curve for these supplies tailored to their 
loads: high starting voltage, constant voltage in the operating discharge 
region and current limited beyond this region. 

This is a real life example. The design existed and was modified as 
the result of FMECA analysis. As design changes from such analyses 
are incorporated into a product, the product reliability is substantially 
improved. 

Failure mode data also provides guide lines for setting product tests 
specifications. Each failure mode should be examined during some phase 
of the product's testing. All critical failure modes (modes affecting patient 
safety) must be tested. 

The final design review goes over all of the transfer devices to make 
sure that no failure modes have been missed (individually or collectively) 
and that the final hardware configuration has not altered the intent of the 
design as established during the preliminary and intermediate design 
review. 

Consider the case where a molded three prong power cord has been 
selected to transfer power from a three prong wall receptacle to an elec- 
trocardiograph. During final design review, the question must be asked, 
"What if the ground wire breaks?” There is considerable evidence to 
show that patient safety is sacrificed (refs. 13 to 15). The detailed design 
properly used a three-wire power cord but no provisions were made to 
check the continuity of the third ground wire. To correct this situation, 
the power cord could be made out of clear plastic insulation and the user 
instructed to check the ground wire for opens with a visual inspection 
prior to each use of the electrocardiograph. Better still, a low current 
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ground wire continuity indicator could be placed on the instruments front 
panel and the user instructed never to use an electrocardiograph when 
this light is out (or a fail safe interlock could be provided, etc. )• It would 
be tolerable to lose a measurement but not to electrocute a patient acci- 
dentally. It is to uncover deficiencies like this that a final reliability re- 
lated design review is held. This too, by the way, is not a hypothetical 
case. A finding of the Detroit Survey was that ?, X-ray reveals broken 
ground wire in electrocardiograph’s molded plugs. " 

The product tests task under reliability engineer ing is heavily con- 
cerned with design evaluation through careful evaluation testing. A bread- 
board model of the product is usually built to verify that the basic transfer 
device arrangement is capable of meeting design criteria. The product 
testing that is conducted on the breadboard model is the first step in design 
evaluation. This testing is usually called functional testing and consists of 
the following types: 

1. Design criteria; 

2. Specification range; 

3. Worst case stress analysis; 

4. Tests for marginality. 

The functional tests prove that the system will work as designed. 

Those tests are conducted for nominal conditions, over the range of input 
and output variables and under worst case electrical and thermal conditions 
for which the product should perform properly (ref. 9). After this is suc- 
cessfully accomplished, the variables are extended (raised and/or lowered) 
usually ±10 percent to see if a slightly out of specification variable will 
cause marginal product performance. 

When a breadboard product has passed functional testing and comes 
through the final design review, prototype products can be fabricated. 

These models are usually made in an experimental shop to get the product 
records ready for production. The new product is now ready for more 
stringent design evaluation testing. Functional tests as described above 
are repeated; additional representative tests for NASA products are listed 
along with comparable tests for biomedical products: 
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NASA Proposed Biomedical 

1. Vibration Pre(erably f 1. Vibration 

2. Thermal \ combined V 2 - Thermal 

3. Pressure J 3. Shock 

4. Shock 4. Electromagnetic compatibility 

5. Acceleration 5. Corrosive solution 

6. Electromagnetic compatibility 6. Dust and dirt 

7. Rain, sand, and fungus 7. Operation by inexperienced people 

During environmental testing, the product is operated in an analogue of 
the environments it will experience in service. Qualifying a product for use 
on a spacecraft is often done by advanced stress testing (refs. 7 and 16). 
Advanced stress testing subjects the equipment to environmental conditions 
more severe than will be encountered in service. The advanced stress 
testing is carefully planned to provide predictive performance information. 
Selecting the stress to be used, planning the combinations thereof and the 
increased test levels tends to identify design deficiencies with shorter wait- 
ing periods without affecting the failure modes. 

If at all possible, the environmental tests should be conducted under 
combined conditions equivalent to those the product will see in service. 
Equipment like power conditioning supplies used on payloads or launch 
vehicles, for example, is subjected to launch vibration, temperature, and 
ascent depressurization all in one test. These tests were designed so that 
combined factors were applied as they would occur in service. 

The Detroit Survey found that in a typical hospital environment, saline 
solution could be spilled onto equipment causing corrosion and in some 
cases electrical shorting. The environment also saw dust build-up inside 
chassis, causing components to overheat and fail. Both of these environ- 
mental conditions could have been represented by environmental testing, 
and designs corrected to work reliably in this environment. Each product 
intended for hospital use with humans should be subjected to environmental 
testing which fully reflects its end use service. True, testing may increase 
the cost of a product but guaranteed no-hazard and reliable performance 
will most certainly make a premium price acceptable. 
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The next phase in testing is to show that the product has sufficient 
life expectancy for anticipated service. Life testing can be broken up 
into two categories: 

1. Sequential acceptance; 

2. Exhibited mean-time-between-failures (MTBF) 

Sequential acceptance tests help an ethical producer be sure that a product 
lot does fully meet design criteria; it protects the consumer from the pur- 
chase of a defective product (ref. 16). Test constraints can be mutually 
established or specified by a manufacturer for review by his customer. A 
product lot is either accepted, continued on test or rejected based on the 
failure -time performance during this testing. 

The exhibited MTBF test is a life test designed to determine product 
,? wear out ,f time by probability methods (ref. 17). Life tests consist of 
operating a product in a typical service environment to determine how long 
it will operate properly. The operation may be either with or without main- 
tenance depending on the expected operating conditions. A power condi- 
tioner for an electric rocket, for example, after reliability engineering, 
was life tested for more than 7000-hours maintenance free. The life test 
results supported the engineering prediction that electric rockets were 
ready for long-term space flight tests. 

The Detroit Cardiac Care Survey also found that aging defibrillators 
do not have proper output waveshapes or energy, and that most monitoring 
scopes and electrocardiographs have substandard frequency response. Such 
design deficiencies can be uncovered during MTBF life testing. If a product 
is placed on life test and operated continuously, initial and regularly re- 
peated detailed performance testing will disclose aging trends. These can 
be interpreted into predictive curved and reflected in either design appro- 
vals or design changes or in use specifications. 

To summarize, design problems are held to a minimum by building 
products from tested parts, transfer devices, subsystems, and from tested 
systems all interacting together. If something fails during any of this test- 
ing, the failure must be carefully studied to define the exact cause. If the 
failure discloses a design deficiency, the design is changed to preclude such 
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failures and appropriate portions of the design evaluation are repeated to 
verify that the failure mode has been eliminated. 

As a part of the test program, there is much to be learned from a 
careful study of each failure. Failure reporting, analysis and corrective 
action is one of the important controls used by Quality Assurance as will 
be explained in the next section. Reliability engineering is also concerned 
about each failure report as it relates to three important areas: 

1. Does this failure exhibit a design deficiency? 

2. What parts failed and why? 

3. What effect does this failure have on the products exhibited MTBF? 
An example of data produced by product failure analysis is a specific fail- 
ure that occurred when a power conditioning subsystem was being subjected 
to simulated arc testing (see fig. 2). When an arc was applied from Vg to 
Vg, a sudden failure occurred in the Vg circuit. A high voltage capacitor 
(0. 1 /I fd, 600 V) shunting the Vg current telemetry resistor had cracked 
open. The failure mode was electrical transients overstressing the capac- 
itor during the arc. The failure analysis determined that the design was 
deficient in the capacitors rated voltage was too low for arc transient con- 
ditions and an RF bypass was not included. The design was appropriately 
modified. When the prototype product successfully completes design evalu- 
ation, final drawing and process specifications are prepared. The first few 
products made by the production department are carefully examined and ex- 
haustively tested for formal qualification of both the product and the produc- 
tion facility. When all of these tests have been successfully completed, the 
product is finally ready for production, sale and public use. The task as- 
signed to Quality Assurance is that of ensuring that production units are 
made in full accordance with the design and all specifications. 

QUALITY ASSURANCE 

The best designed product is only as good as the people and materials 
finally used to make it. Quality assurance engineers participate in the task 
of determining that people with the required skills and materials of the 
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specified quality are used to build a product. Quality assurance engineer- 
ing consists of two basic parts, Control and Test. Some of the elements 
under Control are listed below: 

1. Specification review; 

2. Failure analysis and corrective action; 

3. Flight status review. 

Each of the above plays an important part in assuring that a product is 
built as specified. Even though some may appear redundant, harsh exper- 
ience has shown that all of the steps are required. Consider first the task 
of specification review. 


Specification Review 

All components for the new product must either be fabricated in-house 
or purchased. Specifications explain just what is required in each compo- 
nent in either case. Some of the usual detailed tasks accomplished by 
quality assurance engineers in this control activity are listed below: 

1. Drawing review; 

2. Configuration review; 

3. Procurement document review; 

4. Vendor survey; 

5. Fabricated article review; 

6. Component identification system; 

7. Preservation, packaging, handling, storage, and shipping review; 

8. Training and certification of personnel 

These detailed tasks are either self-explanitory or have been covered 
well in existing literature (refs. 3, 18 to 20). 

It is important that specifications be written as completely and pre- 
cisely as possible. Incomplete specifications can cause much difficulty 
as the following example will illustrate. Open-to-vacuum power condi- 
tioning equipment was manifesting a serious internal arcing problem. 

This arc is illustrated in figure 3. Various environmental tests were 
made to determine the exact cause (ref. 11), although outgassing was a 



14 


number one suspect. The outgassing specifications required that mate- 
rials used in the power conditioners have (in general terms): (1) low 

volatile content, (2) rapid release of volatiles, and (3) low long-term out- 

-5 

gassing rates. A vacuum tank pressure <1x10 torr before startup was 
also specified. Detailed quality assurance tests (fig. 4) determined that 
the power conditioning box pressure was about 2 decades higher than the 
tank pressure. The power conditioning box pressure before startup was 
subsequently specified and a maximum limit given for outgassing after 
bakeout, which corrected this particular problem. 


Failure Analysis and Corrective Action 

When a failure occurs during test, an important data point for product 
improvement has been generated. Each failure should be analyzed to 
identify the specific cause and chain of events. The analysis may uncover 
a subtle design deficiency. Proper corrective action can then be taken to 
eliminate the deficiency. Unfortunately, many product failures result in a 
’'quick fix" without detailed analysis and testing is resumed without correc- 
tion of the basic defect. Design and manufacturing techniques are not per- 
fect; mistakes, errors, and omissions will cause failures. If each failure 
receives a closed-loop analysis and corrective action, future products per- 
formance will be greatly improved. 

The problem of internal arcing in open-to-vacuum power conditioning 
equipment discussed above can also be used to illustrate that failure anal- 
ysis is not fool proof. Outgassing of the power conditioning equipment was 
brought to acceptable levels by bakeout and increasing the venting rate, 
but some internal arcing failures continued. Several other failure modes 
were investigated: magnetic fields, corona and electric fields (ref. 11), 
but failures for internal arcing still persisted. Conformal coating and 
aluminized insulating barriers were finally added to reinforce the vacuum 
insulation. These two design changes solved the problem. The final flight 
power conditioner with conformally coated circuit boards and aluminized 
insulating barriers installed is shown in figure 5. The general problem of 
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arcing in high voltage circuits in vacuum is by no means completely 
solved, by the way, and further research is underway to better under- 
stand why vacuum is a weak insulator under certain conditions. 

Failure analysis in biomedical equipment would have equal signifi- 
cance and should be conducted in the same closed-loop manner to improve 
in-hospital performance of the equipment. 


Flight Status Review 

It is a NASA policy to fully verify the flight readiness of flight hard- 
ware as a means of providing assurance of mission success. The de- 
tailed control task accomplished by quality assurance engineers in this 
activity is primarily in the area of data review. A flight component is 
considered to be flight ready only if the criteria listed below are met: 

1. Fabricated to latest released specifications; 

2. Meets all test requirements; 

3. Date of fabrication, source, serial number, and history identified; 

4. History does not contain repetitive repair, rework, or modifica- 

tions; 

5. Life limited equipment identified; 

6. History of stable operation without test anomalies; 

7. Each failure has been analyzed with corrective action to preclude 

recurrence; 

8. Each corrective action has been inspected and tested to assure 

performance; 

9. Condition is not degraded by handling or storage; 

10. Replacement components handled like flight items; 

11. Launch site activities are carefully planned to maintain readiness 

Flight readiness status in aerospace terms is not clearly comparable 

on a direct one-to-one basis to biomedical equipment use, but the eleven 
criteria given above illustrate the care -before-use philosophy of quality 
assurance. This same philosophy expressed in concrete well-planned con- 
trol activity is obviously needed in equipment for use on human patients. 
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The problems of productive, informative equipment use and human safety 
are shared by the equipment manufacturer and the using medical facility. 
It seems obvious, however, that an extensive "system planning" activity 
must be undertaken to insure that rooms full of equipment safely and re- 
liably perform the many interrelated functions intended. This critically 
necessary function is not now being performed. 

The second part of quality assurance consists of Test with the follow- 
ing subdivisions: 

1. Inspection; 

2. Acceptance; 

3. Operational. 


Inspection 

Inspection of all components that go into a product is a necessary con- 
trol function and produces data important to the quality assurance engineer. 
All components must be made in the same manner as those subjected to de- 
tailed testing if consistent results are to be obtained. Inspection must be 
thorough, and critical parameters must be identified for special attention. 
Component specifications must be consistently checked against and enforced. 
Skilled, experienced, and capable craftsmen are required for the inspection 
function. Inspection instructions must be supplemented with experience and 
often extensive training if effective quality assurance through inspection is 
going to be accomplished. 


Acceptance 

Customer reliance on the manufacturer’s inspection alone to insure 
proper product performance is not good practice. Rigorous acceptance 
tests are important to help insure performance. These acceptance tests 
operate the product in an environment analogous to the end use application. 
To illustrate the need for thorough acceptance testing, consider a repre- 
sentative transformer problem. 
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Our old friend the open -to -vacuum power conditioner was being corona 
tested. Corona activity was observed in the supply. Investigation 
showed that the output transformer in the supply, although manufac- 
tured to the qualified open-to-vacuum transformer specifications, was gen- 
erating a corona in the vicinity of the high voltage winding. Figure 6 shows 
the open-to-vacuum transformer construction details and the region in 
which 500 picocoulombs of corona was occurring. This was a potential 
failure cause that had to be eliminated; one internal arc could fail a power 
conditioner. The judicious use of acceptance testing detected the improperly 
assembled transformer, and prevented it from being installed in the flight 
power conditioner. 


Operational 

After the components have been through their individual acceptance 
tests, they are assembled and finally placed into the spacecraft. Each sub- 
system is tested. When the subsystem tests are completed satisfactorily, 
a combined systems test is conducted with all subsystems being required 
to operate while interacting with each other under simulated flight condi- 
tions. Figure 7 shows a typical operational test of an electric rocket space- 
craft. Integrated systems testing provides the opportunity to fully assess 
the operation of the completely equipped spacecraft under as many as pos- 
sible of the various environmental conditions and operational modes which 
would be encountered throughout the planned mission. 

At the launch site, the subsystem level tests are repeated to determine 
whether any damage or degradation has occurred during transportation and 
to verify that the flight hardware is compatible with the ground-support 
equipment. Finally, the spacecraft is given a final checkout on the launch 
pad. 

Subsequent to launch and during flight, all data from the flight are 
evaluated to ascertain whether the subsystems performed as predicted 
and whether any anomalies occurred. Figure 8 shows a typical flight con- 
trol center for an electric rocket spacecraft. 
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CONCLUDING REMARKS 

The methodology described briefly in this report is in no sense a 
"final” solution to all equipment performance problems. The methodology 
must be prevented from generating a paper blizzard because all the things 
that are discovered must be documented and communicated to others in the 
process of precluding a recurrence. It is important to keep the paper 
work simple, encourage simple language and short forms. Paper cannot 
replace sound, simple engineering evaluation and judgment. The meth- 
odology does serve to reduce very markedly the frequency of human or ma- 
terial failures, but obviously, it will not completely eliminate them. Also, 
the system can be costly, sometimes 10 to 15 percent of the equipments 
cost, but it can save much more. 

It is not easy to achieve reliability; it results from intentional effort 
not by accident. Simple reminders of some of the things that are required 
to achieve reliable products are listed below: 

1. Reliability is designed into a product through conscious effort on 
the part of qualified individuals. 

2. Product design must provide for adequate reliability margins. 

3. Testing is a powerful tool to evaluate a product’s design perform- 
ance. The equipment and facilities required to perform full-system en- 
vironmental tests are usually found to be well worth the cost. The product 
must provide for necessary exhaustive testing. 

4. Test specifications are important in achieving a reliable product 
and must be considered as part of the design process. 

5. It is essential to monitor and control the manufacturing and test 
processes and to maintain close adherence to specifications. 

6. Parts must be standarized as much as possible. 

7. Good housekeeping practices must be followed at all times and 
places - contamination is one of the major causes of failure. 

Both the aerospace and biomedical equipment industries are engaged 
in activities characterized by small build rates of the end products - be 
it a cardiac computer or a spacecraft. High reliability is difficult to 



19 


attain, just as difficult to maintain, and even more difficult to improve. 

It is hoped that the experience of NASA will in many ways be of value to 
the biomedical equipment industry and to the medical facilities which must 
use the equipment to produce improved medical care. 
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(a) Low quality parts were used in construction. 
Figure 1. - Medical electronics gear findings. 
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(b) Planning in the placement of equipment was poor. 
Figure 1. - Continued. 
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(d) Equipment was not protected adequately from its operating environment. 

Figure 1. - Continued. 


(c) Poor grounding was found in some cases. 
Figure 1. - Continued. 
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(e) Few defibrillators accurately produce the amount of energy they are supposed to. 

Figure 1. - Continued. 
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Figure 7. - SERT II spacecraft in operational testing. 



Figure 8. - SERT II flight control center. 
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